claude-review
Pass
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: SAFE
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/claude-review` executes the `claude` CLI with the `--permission-mode bypassPermissions` flag. This flag is designed to suppress interactive security prompts, allowing the tool to read files and execute sub-skills (like `plan-eng-review`) autonomously.
- [DATA_EXFILTRATION]: The skill's primary function involves sending the content of local files or directory listings to Anthropic's servers via the Claude Code CLI for analysis. This is an intentional part of the review workflow but constitutes a data transfer to an external service.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8). It instructs a sub-agent to read and process untrusted data (the target files/directories) without robust boundary markers or 'ignore embedded instructions' warnings. A malicious artifact could contain instructions aimed at subverting the review process or influencing the agent's final decision (approve/revise/block).
- Ingestion points: The target file or directory path provided by the user is passed to the sub-agent for reading (`scripts/claude-review`).
- Boundary markers: Uses simple Markdown headers and horizontal rules (`---`) to separate instructions from reference material, which may not be sufficient to prevent instruction leakage from the processed data.
- Capability inventory: The sub-agent (Claude Code) has capabilities to read files, list directories, and invoke additional skills (`plan-eng-review`, `office-hours`) with permissions bypassed.
- Sanitization: No escaping or validation is performed on the content of the target files before they are processed by the AI.
Audit Metadata